Yorimi

Privacy Policy

Last updated: 2026-05-22

This privacy policy (the "Policy") explains how Masanori Iwata (sole proprietor; "we", "us", "our"), under the brand "Orumio", handles personal data and related information of users (including hosts, guests and partners (defined in §1), collectively "Users") of Yorimi (the "Service").

We comply with Japan's Act on the Protection of Personal Information (the "APPI") in the operation of the Service.

1. Scope

The scope of the Service and the scope of our legal-compliance commitments differ between host features and guest features:

  • Host features (property-operator-facing registration and subscription features) are offered with residents of Japan as the primary audience. Service responses based on the data protection laws of the EEA, UK or California (e.g., dedicated channels for GDPR or CCPA rights requests, cookie consent banners) are not provided at this time. Residents of those regions may still access the Service, but it is not offered as a legal-compliance service for those regions.

  • Guest features (share-URL viewing features for guests who have received a URL from a host) are offered with international use in mind. Information collected from guests during viewing is limited to an anonymous identifier (PostHog distinct_id), IP address and rendering quality measurement data (Web Vitals); as a rule, no personally identifying information collection or charging takes place. However, only where a guest voluntarily sends an "experience inquiry" to a host, we collect — based on the guest's consent — the contact details entered (email address and name) and the inquiry content, and pass them on to that host (see §3, §5, §7). Other than in this case, processing for guest features is structurally minimal.

  • Partner features: A host may introduce local shops, people and experiences as "introduction cards" within the stay link they hand to guests. For the subject of such an introduction (a "partner"), the host first enters information about the partner as a third party (shop or person name, contact person, contact details, etc.). The partner themselves can then — via an account-free review page reached through a review link handed over by the host — review the introduction and optionally add a word for guests, welcome conditions, a notification email address and similar details (see §3, §5, §7).

Use of the Service as a guest is intended for those who are at least 13 years of age. Registration as a host and subscription to paid plans is restricted to those who are at least 18 years of age.

2. Operator (Controller)

The Service is offered under the brand "Orumio", but the legal operator is the following sole proprietor:

  • Operator: Masanori Iwata (sole proprietor)
  • Email: support@yorimi.app
  • Privacy Manager: Masanori Iwata
  • Inquiry hours: Weekdays 10:00-18:00 JST
  • Service brand: Orumio (brand) / Yorimi (service name)
  • Data Controller: The above entity acts as the data controller.
  • Address and phone number: Pursuant to Japan Consumer Affairs Agency Act on Specified Commercial Transactions Guideline Q17, these are provided promptly upon request by document or email. Please direct requests to the email address above.

3. Information we collect

Information collected from hosts

  • Account information (email address, display name, profile image, region, biography, etc.)
  • Property information (property name, address, latitude / longitude, welcome message, etc.)
  • Recommendation information (place name, category, Google Maps place identifier, walking time, transit information, photographs, descriptions, etc.)
  • Subscription information (plan type, billing status, trial start / end dates, Stripe customer ID, etc.)
  • Inquiries and feedback content
  • Technical information such as action and error logs and sign-in history

Information collected from guests (minimal as a rule)

  • Share URL view events (anonymous identifier, viewed guide ID, view time, referrer, etc.)
  • Rendering quality measurement data (Web Vitals: LCP / FID / CLS / FCP / TTFB / INP)
  • Technical information (IP address, browser and device information, cookie / SDK identifiers, language and time zone, etc.)
  • Relationship signals (optional actions such as "want to return" / "share"): we record only an anonymous device identifier, with no contact details, and do not collect information that identifies the guest.
  • Experience inquiries (only where a guest voluntarily sends one and has consented): email address, name, inquiry message, time of submission, and a device identifier used to prevent repeated or abusive submissions.

The email address, name and inquiry content in an "experience inquiry" are collected only on the basis of the guest's own input and explicit consent (the purpose is shown before submission), and are used solely to pass the inquiry to the relevant host and for the host's reply (§5, §7).

Information relating to partners

  • Information entered by the host: shop or person name, contact person, contact email address (optional)
  • Information entered by the partner themselves on the review page: a word for guests, welcome conditions, things to note, booking contact, notification email address (optional), and notification / direct-contact settings
  • Review page view events (anonymous identifier, view time and similar technical information)

An introduction card may be published — as an introduction in the host's name — to guests who know the share URL even before the partner reviews it (positioned similarly to references to publicly known shop information on a blog or similar media). However, where the introduction concerns a private individual (subject type "person"), the card is not published until that person has completed the review. If you would like an introduction taken down, we will respond via the guidance on the review page or the contact channel in §15.

Sensitive payment information such as card numbers is handled directly by our payment processor (Stripe) and is not stored by us. Experience inquiries do not involve any booking or payment on the Service.

4. How we collect information

  • Information you provide directly through forms, uploads and similar actions.
  • Information collected automatically through your use of the Service (via cookies, SDKs and logs).
  • Information obtained from connected services (such as the Google Maps Places API).
  • Voluntary feedback and inquiries.

5. Purposes of use

  • Providing, operating and maintaining the Service, including authentication, sign-in, and storage / display of content.
  • Managing host subscriptions (billing, trials, plan change notifications, etc.).
  • Generating and displaying guest-facing share URLs and map views.
  • Creating and displaying introduction cards (showing guests the partner information entered by the host and the word / welcome conditions saved by the partner), and enabling partners to review the introduction (providing the review page).
  • Contacting partners (sending a review-link invitation at the host's request, and — only where the partner has opted in — event notifications; notifications can be stopped at any time).
  • Passing a guest's "experience inquiry" to the relevant host (conveying the contact details and inquiry content to that host, and supporting the host's reply), and preventing repeated or abusive submissions.
  • Responding to inquiries and sending important notices about the Service.
  • Quality improvement and product development (access analytics, error log analysis, pseudonymized behavioral data of in-app interactions with text and input values masked, not intended to identify individuals; strictly speaking, this is "pseudonymized" rather than truly "anonymous").
  • Preventing fraud and abuse and ensuring security.
  • Complying with laws and regulations, protecting our rights and resolving disputes.

6. Cookies, Analytics and Similar Technologies

Analytics and operations tools

  • PostHog: After a host signs in and when a guest views a share URL, we may record pseudonymized behavioral data of screen interactions and capture event measurements. Text and form inputs are masked; the feature is not intended to identify individuals. With person_profiles: 'identified_only', unidentified guests do not get a persisted profile. If your browser sends DNT (Do Not Track) or GPC (Global Privacy Control), PostHog will not perform measurement.
  • Sentry: When errors occur on the Service, we collect the error content, stack trace and related session information to investigate and fix the issue.

Essential, functional and analytics cookies

We use cookies necessary for session management, feature delivery and quality measurement. For details (cookie name, purpose, retention, category), see our Cookie Policy.

7. Sharing and outsourcing

We may share or entrust the processing of personal data to third parties to the extent necessary to achieve the purposes above, and we will appropriately supervise such third parties.

  • Passing experience inquiries (guest → host): we provide the contact details (email address, name) and inquiry content submitted by a guest to the relevant host, based on the guest's explicit consent. The host uses these to reply to the guest. We do not intermediate any payment or booking for this hand-off.
  • Displaying introduction cards (host / partner → guest): partner information entered by the host (shop name, booking contact, etc.) and the content saved by the partner on the review page (a word for guests, welcome conditions, things to note) are displayed to guests who know the share URL.
  • Presenting relay notes (guest → partner): only where a guest uses "introduce me", and based on the guest's explicit consent, the information declared by the guest (name (optional), party size, language, wishes) is presented to the relevant partner. This information is automatically deleted as a rule 14 days after issuance.
  • Payment processing: Stripe (we do not store card information).
  • Infrastructure and delivery: Vercel (hosting, profile image storage via Vercel Blob, Functions), Neon (PostgreSQL database), Inngest (background jobs), Resend (email delivery).
  • Analytics: PostHog (pseudonymized session replay, event measurement), Sentry (error tracking).
  • Maps and place information: Google Maps Platform (Places API, Geocoding API, Maps JavaScript API).
  • Legal compliance, enforcement of rights and business transfers.

8. International transfers (APPI Article 28 compliance)

Our servers and service providers may be located outside Japan. Pursuant to the amended APPI (effective 2022), we disclose below the destination countries, the presence or absence of adequate data protection regimes in those countries, and the measures we take.

Recipient (Vendor)RoleCountry of operationAdequacy decisionMeasures
StripePayment processingUnited States (some Ireland)US not adequate / EU adequateDPA + SCC
VercelHosting / Blob storage / FunctionsUnited States (Global edge)Not adequateDPA + SCC
NeonPostgreSQL databaseUnited States (us-east-1)Not adequateDPA + SCC
InngestBackground job executionUnited StatesNot adequateDPA + SCC
ResendEmail deliveryUnited StatesNot adequateDPA + SCC
PostHogAnalytics + session replay (pseudonymized)United States (US Cloud)Not adequateDPA + SCC
SentryError trackingUnited StatesNot adequateDPA + SCC
Google Maps PlatformMaps display / place infoUnited States (Global)Not adequateDPA + SCC

"Adequacy decision" refers to the country-level data protection regime; individual vendors implement DPA / Standard Contractual Clauses (SCC) and similar safeguards.

9. Legal basis (APPI)

The legal basis for processing personal information in the Service is grounded in APPI Article 17 and following:

  • Specification and publication of purpose (Article 17, 21): Set out in §5 of this Policy.
  • Lawful acquisition (Article 20): Acquisition based on user consent or user-initiated input.
  • Restrictions on third-party provision (Article 27): Lawful outsourcing / provision under §7 of this Policy.
  • International transfers (Article 28): Country names and measures pre-disclosed in §8 of this Policy.

Consent for host features is obtained at sign-up via the User's agreement to the Terms of Service and this Policy. Consent may be withdrawn at any time (see §15 Your rights). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

10. Retention period

We retain personal data for as long as necessary to fulfil the purposes described above, and then delete or anonymise it. From the perspective of payment, tax and fraud prevention, we normally retain transaction-related data for seven (7) years and then anonymise it or take other appropriate measures. Where laws require us to retain data for a longer or shorter period, we will comply.

If a host deletes their account, related property and recommendation information will be promptly deleted or anonymised. Anonymous view events captured from share URLs may continue to be retained for aggregate and statistical purposes only.

Information relating to a guest's "experience inquiry" (contact details and inquiry content) and relationship signals (anonymous device identifiers) are retained for up to 90 days from collection for the purposes of the hand-off, fraud prevention and statistics, and are then deleted or anonymised.

Information relating to partners is retained while the corresponding introduction card is live, and is deleted or anonymised promptly once the introduction card or the partner is deleted. Guest-declared information in relay notes issued to a partner is deleted as a rule 14 days after issuance.

11. Security

We implement reasonable technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest and audit logs. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12. Publicly shared content and host-generated information

Property names, addresses, recommendations, welcome messages and similar content registered by a host on the Service may be made visible to guests who know the share URL issued by that host. Hosts represent and warrant that they have the necessary rights in such content and that it does not infringe the rights of third parties or violate applicable laws or property-use rules.

13. Special provisions regarding AI features

If we offer AI-powered features (such as recommendation assistance) in the future, input text, generated output and related metadata may be sent to AI service providers. We aim to configure such services with privacy-friendly options (such as opting out from training where available), but the details depend on each provider's specifications. Please avoid entering highly sensitive information into AI features.

14. Children and age requirements

  • Use of the Service as a guest is intended for those who are at least 13 years of age.
  • Registration as a host and subscription to paid plans is restricted to those who are at least 18 years of age.
  • If we become aware of use by a person under 13, we will take steps such as deletion as appropriate.

15. Your rights

Pursuant to the APPI, you may request access to, correction of, suspension of use of, deletion of or similar actions in relation to your personal data (subject to statutory exceptions). To exercise your rights, please contact us at support@yorimi.app.

16. Marketing communications

We may send important notices about the Service to your registered email address. Marketing communications are sent based on your consent or other applicable legal basis. You can change your communication preferences or unsubscribe at any time.

Emails to partners are limited to review-link invitations sent at the host's request and event notifications the partner has opted into; they do not contain advertising content. Event notifications can be stopped at any time via the link in each email or from the review page.

17. Changes to this Policy

We may modify this Policy from time to time in response to changes in laws, regulations or the Service. When we make material changes, we will notify you by posting a notice on the Service or by email and indicate the date of the latest update at the top of this Policy. Notification to existing users will be sent by email and no functional restrictions will be imposed. Consent to the revised Policy will be obtained when a new account is created or a new paid subscription is initiated.

18. Contact

  • Operator: Masanori Iwata (sole proprietor)
  • Service brand: Orumio
  • Email: support@yorimi.app

19. Related documents